The IT Nerd

In part one of this investigation I dealt with the initial threat. In part two I tracked down the scammers and I unwrapped what these scammers were up to in part three. Now I will tell you how to avoid a scam like this.

Here’s the big hint that this is a scam. The scammers will likely be pretending they are calling from Microsoft or from “Windows,” “Windows Tech Support” or “Windows Service Center.” or even your ISP.

Fact: A legitimate company such as Microsoft, Apple, or Google would never call you in this manner. The exception might be your ISP. There’s a minute possibility that your ISP would call you if your computer has been infected with malware that could be sending out something from your computer. If a caller claims to be from your ISP, ask for the caller’s name, where his or her office is located, and for the office telephone number. Ask why you’re being contacted by telephone, what the issue with your computer is and how the ISP could tell it was your PC specifically that had a problem. If a call sounds legit, hang up and call the ISP yourself, then ask for the tech support department or for the person who called you specifically. Use a phone number listed on your ISP’s website or on your bill, not a number that the caller gave you. That way, you could confirm or deny if this is legit.

Now, if you get a call from a scammer. The best way to deal with them is to hang up. But if you want to do the world a favor, do the following….. Though I will not exactly go out of my way to recommend vigilante behavior like this:

1. The name of the company the scammer claims to work for, and the company’s website, phone number or address. Even the smallest pieces of info can lead one down the road of finding out who the scammers are and you’d be surprised how willing they are to give up this information to try and gain your confidence.
2. Hang up.
3. Report it. Microsoft has a Web page dedicated to reporting tech-support scams. The U.S. Federal Trade Commission has a website for fielding complaints, while the Canadian Anti-Fraud Center is the place to go if you’re in Canada.

So, what happens if you get scammed? You need to act fast. First, shut down the computer. Then do this:

1. First download and install legitimate antivirus software. Then, run a scan to see if anything has been left behind. Then change the passwords on the user accounts on your PC. You don’t have passwords on the user accounts? You should precisely for this reason. If you don’t feel comfortable doing any of these items, call an IT expert for help.
2. If you gave the scammer your credit card number, then you really need to act fast. Call your credit card provider and either reverse the charges or cancel the card (my client did the latter).  Then you should also contact one of the three credit-reporting agencies. Namely Equifax, Experian or TransUnion and ask them to place a free 90-day credit alert on your file. For the record, Experian doesn’t operate in Canada but the other two do. The agency you contact will alert the others and you’ll be notified if someone tries to do something in your name.
3. Report it.

As you can see, getting hit by a scammer is not a trivial matter. You need to be on your toes to avoid this sort of thing. If you are, then you should never have to worry about the negative effects of being scammed. I’ve documented what People Connect Inc. were up to in this case, but there are lots of others who are just as evil. I hope this information helps to make sure that you are not a victim of something like this.

In part one of this investigation I dealt with the initial threat. In part two I looked at who the scammers who do business as People Connect Inc. are and showing that they are scammers. Now I will show you what these scammers were up to. Though, that took some effort.

First of all, I grabbed a ZIP file that was encrypted. I needed to break into it. Thus I reached out to a friend of mine who is a white hat hacker (in other words, a hacker that hacks to helps people rather than hurt them) to help with this. We used a program called John The Ripper on a custom computer with a series of Nvidia graphics cards to add computing power to the CPU to help to crack this ZIP file. It took several hours, but I had it cracked. When I got to look at the files, this is what I saw:

Here’s what these files do. First, there were four batch files:

• The first one is called execlock.bat and it takes away Internet access from dozens of websites using a supplied application called hosts.exe which is a Russian designed application that modifies a file on your computer called “hosts” which controls how your computer gets to the Internet. By doing this, it can make you think that you had a serious problem. But not enough to outright kill your Internet access (which would disconnect the scammers of course and keep the scammers from “fixing” things).
• The second one is called execunlock.bat and it restores the Internet access that was removed by the previous batch file.
• The third one is called lock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execlock.bat batch file that I mentioned earlier. This elevate.exe application allows one to bypass any security that might be present on the PC.
• The fourth one is called unlock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execunlock.bat batch file that I mentioned earlier. This elevate.exe application again allows one to bypass any security that might be present on the PC.

Now I believe that the purpose of these batch files is to create a “problem” for the scammers to fix so that they can take your money. But they didn’t stop there. The real threat is three other files that were present.

• The first threat is a file that I found called air.exe. It appears to be a remote control application which would allow someone in some other location to control a PC. It appears it is based on this application:

• Next on the list is are two pieces of software called Nautilus Blue.exe and Nautilus Green.exe which appears to be another remote control application called Show My PC which is based on this:

https://showmypc.com

Here’s the catch, these apps run an install that appears to install other software. That of course isn’t good as it implies that it would create a problem that would be persistent.

One note: I figured out how what this stuff was doing using a piece of software called Process Monitor so that I could log everything that these pieces of software do at very low levels. Be it network access, reading or writing to the hard drive, or whatever else these pieces of software decided to do. On top of that, I used a Windows 10 virtual machine via Parallels Desktop to do my testing so that I could take a snapshot of the environment before running this stuff and go back to that snapshot over and over again during my testing. Plus I would not have to risk a a real PC being infected with something at the end of my testing.

I have reason to believe that if they got a chance to run these files (which they didn’t because I pulled the plug on these guys), the scammers could remote control a PC at will. Plus nothing from a malware or antivirus perspective will detect this stuff as it is based on commercially applications which makes this stuff very dangerous. That makes the scammers very dangerous. Thus I will be submitting all of this to antivirus vendors in the hopes that they will come up with countermeasures against this stuff so that these scammers cannot use these tools do do their evil deeds.

In the final part of this investigation, I will give you my tips in terms of avoiding a scam like this.

UPDATE: On top of submitting the files that I found to a variety of antivirus vendors, I have reached out to AeroAdmin and ShowMyPC as well to inform them that their software is being used in this scam and might have been modified. I will update you if I hear from them.

UPDATE #2: ShowMyPC has been very helpful in terms of unwrapping the files named Nautilus Blue.exe and Nautilus Green.exe. Here’s what they said:

Of the 2 files you sent one of them, green one, it seems like a renamed/perhaps re-bundled or modified file of our free version.

Our free version has an interface that has to be launched, explicitly press a button to start, next a warning dialog to accept settings and before a user could use it. It is very restrictive in time and usage and unlike many other programs has no inbuilt functionality to start remotely.

Our exe does not install anything but does extract files while in use.
Just delete the main exe and if any temporary files exist. You can read about uninstalling and any temp files on this link.
http://showmypc.com/faq/uninstall-showmypc.html

Although its hard to say how the program was modified, however if it was used on your customers pc, we maybe able to help you track the remote IP of the users if they made any connection and we can block those users from using this.

Any session using our program can be easily reported here.
https://showmypc.com/faq/warning.html

Thanks for bring this to our notice, and we continue to keep a watch on any abuse report.

I’d like to thank ShowMyPC for their help with this, Now over to Aero Admin. I am working with them as well and I will update you when I have more info.